Ingress firewall rules for the Cisco Security Monitoring, Analysis, and Response System

Ingress traffic is traffic that is inbound from a less-trusted network, through a firewall, and on to the Cisco Security Monitoring, Analysis, and Response System. Learn how to configure your customer's ingress firewall rules to reduce the risk of malicious traffic coming from these less-trusted networks.

The Cisco Security Monitoring, Analysis, and Response System (CS-MARS) is a topology-aware SIM product. Because it holds sensitive information, it's important for VARs to configure it to establish authentication, information and rediscovery protocols. This tip covers how to establish ingress firewall rules for CS-MARS.

To simplify the work involved, you should define some network object groups on your firewall. If you're not familiar with this term, think of object groups as variables that you can use while configuring the firewall to make life easier. Rather than referring to a large list of IP addresses or TCP/UDP ports, you can simply refer to a name instead. The following examples use an object group called CORP_NET, which consists of all IP addresses used on your organization's network.

Ingress traffic refers to traffic that is inbound to a firewall (toward CS-MARS) from a less trusted network. Figure 4-1 shows both ingress traffic and egress traffic, or traffic that leaves CS-MARS to go toward the less trusted network.

Figure 4-1 Ingress and Egress Traffic

The following ingress rules are a good starting point for most companies:

Step 1 Permit syslog and SNMP trap traffic (UDP 162 and 514) from security operations (SecOps).
Step 2 Permit NetFlow traffic (UDP 2049) from SecOps.
Step 3 Permit HTTPS (TCP 443) from SecOps if a large number of people will be accessing the web console of MARS to run ad hoc reports. Otherwise, permit HTTPS to a restricted range of addresses.
Step 4 Permit SSH (TCP 22) to a very restricted set of addresses. If the security management network has its own VPN gateway, which might be a function of the firewall, you might want to require administrators to establish a VPN connection before permitting SSH.
Step 5 Permit HTTP (TCP 80) from any monitored web servers running iPlanet or Apache. If you're using NetCache appliances, permit HTTP from it as well.
Step 6 If your MARS deployment consists of multiple MARS LCs that communicate to a centralized MARS GC, permit required management traffic between those systems (TCP 443 and 8444).
Step 7 Deny all other traffic.
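The seven steps above, expressed as one ingress access list on a Cisco ASA/PIX firewall using the object-group approach the chapter recommends. This is an added example, not configuration from the book or from Cisco; it assumes an ASA-style CLI, an outside interface named "outside", and constructed RFC 1918 addresses. Apart from CORP_NET, every object-group name (SECOPS_NET, MARS_ADMIN_HOSTS, MONITORED_WEB_SERVERS, MARS_LC_HOSTS, MARS_GC, and the service groups) is hypothetical, and the NetFlow port follows the text (UDP 2049).

```cisco
! --- Network object groups (constructed sample addresses) ---
object-group network CORP_NET
 description All addresses on the organization's network (assumed 10.0.0.0/8)
 network-object 10.0.0.0 255.0.0.0
object-group network SECOPS_NET
 description Security operations subnet that sends events and runs reports
 network-object 10.1.1.0 255.255.255.0
object-group network MARS_ADMIN_HOSTS
 description Very restricted set of administrator workstations (Step 4)
 network-object host 10.1.1.10
 network-object host 10.1.1.11
object-group network MONITORED_WEB_SERVERS
 description iPlanet/Apache servers and NetCache appliances that post to MARS (Step 5)
 network-object host 10.2.0.20
 network-object host 10.2.0.21
object-group network MARS_LC_HOSTS
 description Remote MARS Local Controllers (Step 6)
 network-object host 10.3.0.5
object-group network MARS_GC
 description The MARS appliance (Global Controller) behind this firewall
 network-object host 10.1.2.10

! --- Service object groups (one group per traffic class) ---
object-group service MARS_EVENT_UDP udp
 description Syslog and SNMP traps (Step 1)
 port-object eq syslog
 port-object eq snmptrap
object-group service MARS_NETFLOW_UDP udp
 description NetFlow export as stated in the text (Step 2)
 port-object eq 2049
object-group service MARS_LC_GC_TCP tcp
 description LC-to-GC management traffic (Step 6)
 port-object eq https
 port-object eq 8444

! --- Ingress ACL, evaluated top to bottom; first match wins ---
! Step 1: syslog and SNMP traps from SecOps
access-list OUTSIDE_IN extended permit udp object-group SECOPS_NET object-group MARS_GC object-group MARS_EVENT_UDP
! Step 2: NetFlow from SecOps
access-list OUTSIDE_IN extended permit udp object-group SECOPS_NET object-group MARS_GC object-group MARS_NETFLOW_UDP
! Step 3: web console only from the SecOps range (widen to CORP_NET only if many users need ad hoc reports)
access-list OUTSIDE_IN extended permit tcp object-group SECOPS_NET object-group MARS_GC eq https
! Step 4: SSH from the small admin set only
access-list OUTSIDE_IN extended permit tcp object-group MARS_ADMIN_HOSTS object-group MARS_GC eq ssh
! Step 5: HTTP from monitored web servers and NetCache appliances
access-list OUTSIDE_IN extended permit tcp object-group MONITORED_WEB_SERVERS object-group MARS_GC eq www
! Step 6: Local Controller to Global Controller management traffic
access-list OUTSIDE_IN extended permit tcp object-group MARS_LC_HOSTS object-group MARS_GC object-group MARS_LC_GC_TCP
! Step 7: deny everything else and log it so unexpected senders show up in MARS itself
access-list OUTSIDE_IN extended deny ip any any log

! Bind the ACL to inbound traffic on the less-trusted interface
access-group OUTSIDE_IN in interface outside
```

Two points worth checking after applying this: confirm with "show access-list OUTSIDE_IN" that hit counts accrue on the permit lines you expect and on the final deny for nothing legitimate, and remember that the ASA's implicit deny already exists at the end of every ACL, so the explicit deny in Step 7 is there for the "log" keyword rather than for the drop itself.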

Continue reading to learn about egress firewall rules for the Cisco Security Monitoring, Analysis, and Response System (CS-MARS).

Reproduced from Chapter four of the book Security Monitoring with Cisco Security MARS by Gary Halleen and Greg Kellogg. Copyright 2007, Cisco Systems, Inc. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240. Written permission from Pearson Education, Inc. is required for all other uses.


This was first published in August 2007
